SF-OS vs UTM Features

Major Innovations in OS UTM 9.x Features NOT yet in SF-OS (SF-OS) ÌÌ Customizable dashboard ÌÌ Redesigned user interface with interactive ÌÌ Automated backup and restore (manual only) control center and enhanced navigation ÌÌ One-time password (OTP) / Two-factor authentication ÌÌ New unified policy model with policy types (user, business ÌÌ Zero-config active/passive high- availability (manual setup) application, and network) all managed from a single screen ÌÌ Multiple node clusters (only 2 node clusters are supported) ÌÌ Policy Templates for common business applications ÌÌ VoIP handling for SIP and H.323 connections like Microsoft Exchange or SharePoint that are defined ÌÌ Advanced spam detection techniques: RBL, heuristics, in XML making them easy to customize and share. SPF checking, BATV, URL scanning, grey listing, RDNS/ ÌÌ Policy natural language descriptions HELO checks, expression filter and recipient verification ÌÌ Configure IPS, Web, App, and Traffic Shapping (QoS) ÌÌ Email Encryption: S/MIME, OpenPGP, TLS settings for policies all from a single screen standards and PGP key server support ÌÌ Layer-8 user identity policies ÌÌ Amazon VPC-based site-to-site tunnels ÌÌ Sophos Security Heartbeat connecting Sophos ÌÌ Site-to-Site (Firewall to Firewall) RED endpoints with the Firewall for telemetry and enhanced Tunnels (use SSL/IPSEC instead) ATP protection to identify host, user, and process ÌÌ IPsec Tunnel Binding ÌÌ Policy support for Sophos Security Heartbeat ÌÌ Endpoint Management and SEC Integration to automatically take action in the event ÌÌ Sophos Mobile Control Integration the health of an endpoint changes ÌÌ Uploading of custom WAF rules ÌÌ User Threat Quotient for identifying risky users ÌÌ CSV exporting of reports (Excel format supported) ÌÌ Fully transparent user-based web filtering ÌÌ Nightly compression and rotation of logs without the need for any proxy settings ÌÌ Log file archiving: On-box, FTP, SMB, SSH, Email and Syslog ÌÌ FastPath packet optimization (200% performance boost) UTM 9.x Web Protection & Policy Features Top requested UTM features in SF-OS (changes in SF-OS are noted in orange) (that are not in UTM 9) Web Protection ÌÌ User-based firewall polices ÌÌ URL Filter database with 35 million+ sites ÌÌ Zone-based firewall policies in 96 categories and 65+ languages - new ÌÌ Custom IPS and QoS settings per user or network policy site database backed by SophosLabs ÌÌ Firmware roll-back option ÌÌ Application Control: Accurate signatures ÌÌ Improved reporting (50% more reports) and Layer 7 patterns for thousands of ÌÌ Improved user authentication tools and deeper applications - using Cyberoam engine user identity integration into all firewall areas ÌÌ Dynamic application control based on productivity ÌÌ Packet capture in UI with complete or risk threshold - no productivity option visibility to the packet level ÌÌ View traffic in real-time, choose to block or ÌÌ IMAP Proxy for filtering email shape - no real-time traffic shaping ÌÌ Configuration API for all features for RMM/PSA integration ÌÌ scanning: HTTP/S, FTP and web-based email via ÌÌ Discover Mode (TAP mode) for seamless integration dual independent antivirus engines (Sophos & Avira) block for trials and PoCs (command-line only initially) all forms of viruses, web malware, trojans and ÌÌ Fully transparent HTTPS filtering of URLs ÌÌ Option for selective HTTPS Scanning of untrusted sites ÌÌ Advanced web malware protection with JavaScript emulation ÌÌ Live Protection real-time in-the-cloud lookups for the latest threat intelligence SF-OS vs UTM Features SF-OS vs UTM Features

ÌÌ Potentially unwanted application (PUA) ÌÌ Configuration change tracking ÌÌ Authentication via: Active Directory, eDirectory, ÌÌ Anonymization of reporting data to enforce privacy policy download blocking - not available ÌÌ Email or SNMP trap notification options RADIUS, LDAP and TACACS+ ÌÌ Over 50 Integrated reports ÌÌ Malicious URL reputation filtering backed by SophosLabs ÌÌ SNMP support ÌÌ Single sign-on: Active directory, eDirectory ÌÌ PDF and CSV exporting of reports ÌÌ Reputation threshold: set the reputation Network Routing and Services ÌÌ SSL support ÌÌ Customizable email footers and disclaimers threshold a website requires to be accessible ÌÌ Tools: server settings check, username/password ÌÌ Setup wizard and context sensitive online help ÌÌ Routing: static, multicast (PIM-SM) from internal network - not available testing and authentication cache flush ÌÌ Email header manipulation support and dynamic (BGP, OSPF) ÌÌ Active content filter: File extension, MIME type, JavaScript, ÌÌ Graphical browser for users and groups ÌÌ Protocol independent multicast routing with IGMP snooping End-User Portal ActiveX, Java and Flash - file and MIME type controls ÌÌ Automatic user creation ÌÌ Bridging with STP support and ARP broadcast forwarding ÌÌ SMTP quarantine: view and release but no automatic stripping of ActiveX and Flash ÌÌ Scheduled backend synchronization prefetch ÌÌ WAN link balancing: multiple Internet connections, messages held in quarantine ÌÌ True-File-Type detection/scan within archive files ÌÌ Complex password enforcement auto-link health check, automatic failover, automatic ÌÌ Sender blacklist/whitelist ÌÌ YouTube for Schools enforcement and weighted balancing and granular multipath rules ÌÌ Hotspot access information ÌÌ SafeSearch enforcement ÌÌ 802.3ad interface link aggregation ÌÌ Download the Sophos Authentication Agent (SAA) ÌÌ Apps enforcement - not available Email Protection ÌÌ QoS with full control over bandwidth pools and ÌÌ Download remote access client ÌÌ Reputation service with spam outbreak monitoring based Web Policy download throttling using Stochastic Fairness Queuing and configuration files on patented Recurrent-Pattern-Detection technology ÌÌ Authentication: Active Directory, eDirectory, LDAP, and Random Early Detection on inbound traffic ÌÌ HTML5 VPN portal for opening clientless VPN connections ÌÌ Block spam and malware during the SMTP transaction RADIUS, TACACS+ and local database - no TACACS+ ÌÌ Full configuration of DNS, DHCP and NTP to predefined hosts using predefined services ÌÌ Detects phishing URLs within e-mails ÌÌ Single sign-on: Active Directory, eDirectory, Apple ÌÌ Server load balancing ÌÌ Download HTTPS Proxy CA certificates ÌÌ Global & per-user domain and address black/white lists Open Directory - no Apple Open Directory ÌÌ IPv6 support ÌÌ Recipient Verification against Active Directory account ÌÌ Proxy Modes: Standard, (Fully) Transparent, Authenticated, ÌÌ RED support ÌÌ E-mail scanning with SMTP and POP3 support Single sign-on and Transparent with AD SSO* ÌÌ VLAN DHCP support and tagging ÌÌ Dual antivirus engines (Sophos & Avira) VPN Options ÌÌ Transparent captive portal with authentication ÌÌ Multiple bridge support ÌÌ True-File-Type detection/scan within archive files ÌÌ PPTP, L2TP, SSL, IPsec, HTML5-based and Cisco client- ÌÌ Support for separate filtering proxies in different modes Network Protection ÌÌ Scan embedded mail formats: Block malicious based remote user VPNs, as well as IPsec, SSL, and Sophos ÌÌ Time, user and group-based access policies ÌÌ Stateful firewall and unwanted files with MIME type checking Remote Ethernet Device (RED) plug-and-play VPN ÌÌ Browsing quota time policies and quota reset ÌÌ Intrusion protection: Deep packet inspection ÌÌ Quarantine unscannable or over-sized messages option - global quota, not per category VPN IPsec Client engine, 18,000+ patterns ÌÌ Filter mail for unlimited domains and mailboxes ÌÌ Allow temporary URL filter overrides ÌÌ Authentication: Pre-Shared Key (PSK), PKI ÌÌ Selective IPS patterns for maximum ÌÌ Automatic signature and pattern updates with authentication - not available (X.509), Smartcards, Token and XAUTH performance and protection ÌÌ Sophos Live Anti-Virus real-time cloud lookups ÌÌ Client Authentication Agent for dedicated ÌÌ Encryption: AES (128/192/256), DES, 3DES ÌÌ IPS pattern aging algorithm for optimal performance* per-user tracking - block pages only Email Encryption and DLP (112/168), Blowfish, RSA (up to 2048 Bit), DH ÌÌ Flood protection: DoS, DDoS and portscan blocking ÌÌ Cloning of security profiles ÌÌ Patent-pending SPX encryption for one- groups 1/2/5/14, MD5 and SHA-256/384/512 ÌÌ Country blocking by region or individual country ÌÌ Customizable user-messages for events in local languages way message encryption ÌÌ Intelligent split-tunneling for optimum traffic routing (over 360 countries) with separate inbound/ ÌÌ Custom HTTPS verification CA support ÌÌ Recipient self-registration SPX password management ÌÌ NAT-traversal support outbound settings and exceptions ÌÌ Setup wizard and context sensitive online help ÌÌ Add attachments to SPX secure replies ÌÌ Client-monitor for graphical overview of connection status ÌÌ Site-to-site VPN: SSL, IPSec, 256- bit AES/3DES, ÌÌ Customizable block pages ÌÌ Transparent en-/decryption and digital ÌÌ Multilingual: German, English and French PFS, RSA, X.509 certificates, pre-shared key ÌÌ Custom categorization to override categories signing for SMTP e-mails ÌÌ Remote access: SSL, IPsec, iPhone/ VPN SSL Client or create custom categories ÌÌ Completely transparent, no additional iPad/Cisco VPN client support ÌÌ Proven SSL-(TLS)-based security ÌÌ Site tagging for creating custom site software or client required ÌÌ Connection tracking helpers: FTP, IRC, PPTP, TFTP ÌÌ Minimal system requirements categories - not available ÌÌ Allows content/virus scanning even for encrypted e-mails ÌÌ Identity-based rules and configuration with ÌÌ Profile support for varying levels of access ÌÌ Authentication and filtering options by device type for ÌÌ Central management of all keys and certificates Authentication Agent for users ÌÌ Supports MD5, SHA, DES, 3DES and AES iOS, Android, Mac, Windows and others - not available - no key or certificate distribution required ÌÌ Works through all firewalls, regardless of proxies and NAT ÌÌ Policy testing tool for URLs, times, users Advanced Threat Protection ÌÌ DLP engine with automatic scanning of emails ÌÌ Support for iOS and Android and other parameters - not available ÌÌ Detect and block network traffic attempting to and attachments for sensitive data contact command and control servers using ÌÌ Pre-packaged sensitive data type content Clientless VPN DNS, AFC, HTTP Proxy and firewall control lists (CCLs) for PII, PCI, HIPAA, and ÌÌ True clientless HTML5 VPN portal for accessing UTM 9.x Features Available in SF-OS ÌÌ Identify infected hosts on the network more, maintained by SophosLabs applications securely from a browser on any device General Management and contain their network activity Email Management VPN One-Click ÌÌ Selective sandboxing of suspicious code ÌÌ Role-based administration ÌÌ User-quarantine reports mailed out ÌÌ Easy setup and installations of every client within minutes to determine malicious intent ÌÌ Configurable update service daily at customizable times ÌÌ Download of client-software, individual configuration ÌÌ Reusable system object definitions for networks, services, Authentication ÌÌ Log Management service support files, keys and certificates one click away from hosts, time periods, users and groups, clients and servers ÌÌ Transparent, proxy authentication (NTLM/ ÌÌ Customizable User Portal for end-user the Security Gateway end-user portal ÌÌ Self-service user portal for one-click VPN setup Kerberos) or client authentication mail management, in 15 languages ÌÌ Automatic installation and configuration of the client SF-OS vs UTM Features

ÌÌ No configuration required by end user ÌÌ Form hardening engine VPN RED ÌÌ SQL injection protection ÌÌ Cross-site scripting protection ÌÌ Central Management of all RED appliances ÌÌ Dual-antivirus engines (Sophos & Avira) ÌÌ No configuration: Automatically connects ÌÌ HTTPS (SSL) encryption offloading through a cloud-based provisioning service ÌÌ Cookie signing with digital signatures ÌÌ Secure encrypted tunnel using digital X.509 ÌÌ Path-based routing certificates and AES256- encryption ÌÌ Outlook anywhere protocol support ÌÌ RED sites are fully protected by the Network, Web ÌÌ Reverse authentication (offloading) for form-based and Mail security subscriptions of the Firewall. and basic authentication for server access ÌÌ Virtual Ethernet for reliable transfer of all traffic between locations Web Management ÌÌ IP address management with centrally defined ÌÌ Virtual server and physical server abstraction DHCP and DNS Server configuration ÌÌ Integrated load balancer spreads ÌÌ Remotely de-authorize RED devices visitors across multiple servers after a select period of inactivity ÌÌ Skip individual checks in a granular fashion as required ÌÌ Compression of tunnel traffic (RED 50, RED 10 revision 2, 3) ÌÌ Match requests from source networks ÌÌ VLAN port configuration options (RED 50) or specified target URLs Secure Wi-Fi ÌÌ Support for logical and/or operators ÌÌ Assists compatibility with various configurations ÌÌ Simple plug-and-play deployment, and non-standard deployments automatically appearing in the Firewall ÌÌ Options to change WAF performance parameters ÌÌ Central monitor and manage all access points (APs) and ÌÌ Scan size limit option wireless clients through the built-in wireless controller ÌÌ Allow/Block IP ranges ÌÌ Integrated security: All Wi-Fi traffic is ÌÌ Wildcard support for server paths automatically routed through the Firewall ÌÌ Automatically append a prefix/suffix for authentication ÌÌ Wireless 802.11 b/g/n at 2.4 GHz and 5GHz (AP 50) ÌÌ Power-over-Ethernet 802.3af (AP 30/50) Logging and Reporting ÌÌ Multiple SSID support: Up to 8 ÌÌ Logging: Remote syslog, ÌÌ Strong encryption supports state-of-the-art ÌÌ On-box reporting: Packet filter, intrusion protection, wireless authentication including WPA2-Enterprise bandwidth and day/week/month/year scales and IEEE 802.1X (RADIUS authentication) ÌÌ Identity-based reporting ÌÌ Wireless guest Internet access with customizable ÌÌ PDF report exporting splash pages on your captive portal ÌÌ Executive report scheduling and archiving ÌÌ Voucher-based guest access for daily or weekly access ÌÌ Reactive reporting engine crafts reports as you click on data ÌÌ Time-based wireless network access ÌÌ Save, instantly email or subscribe recipients to any reports ÌÌ Wireless repeating and bridging meshed ÌÌ Hundreds of on-box reports network mode with AP 50 ÌÌ Daily activity reporting ÌÌ Hotspot backend authentication support ÌÌ URL filter override report (RADIUS, TACACS, LDAP, AD) ÌÌ Per-user tracking and auditing ÌÌ Automatic channel selection background optimization ÌÌ Anonymization of reporting data to enforce privacy policy ÌÌ Multi-tenant hotspot administration ÌÌ Full transaction log of all activity in human-readable format ÌÌ Support for HTTPS login support ÌÌ Web log searching parameters per user, URL or action Web Application Firewall Protection ÌÌ Sophos iView dedicated reporting appliance ÌÌ Reverse proxy ÌÌ URL hardening engine with deep-linking and directory traversal prevention

United Kingdom and Worldwide Sales North American Sales Australia and New Zealand Sales Asia Sales Tel: +44 (0)8447 671131 Toll Free: 1-866-866-2802 Tel: +61 2 9409 9100 Tel: +65 62244168 Email: [email protected] Email: [email protected] Email: [email protected] Email: [email protected]

Oxford, UK | Boston, USA © Copyright 2013. Sophos Ltd. All rights reserved. Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

1129-02.13DD.dsna.simple